This Firefish Data Processing Agreement (“DPA”), between the Customer (“the Controller”) and Firefish Software (“the Processor”) reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the Firefish - Terms of Service (the “Agreement”).
This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement and will form a part of the Agreement. We periodically update these terms. If you have an active Firefish subscription, we will let you know when we do via an email or in-app notification.
Last updated: January 2020
To request a copy of our Data Processing Agreement click here
1.1 In this Agreement all words and phrases shall have the meanings provided in the foregoing Agreement and as follows:-
“GDPR” means the UK GDPR and where applicable Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
“Data Protection Law” shall mean the Data Protection Act 2018 and any other legislation amending and/or repealing the same, the General Data Protection Regulation 2016/679/EC (“GDPR”) and all relative European Union and Member State data protection legislation in force and as amended or replaced from time to time;
“National Law” shall mean the law of the Member State in which the Processor is established;
"Personal Data" shall mean any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“Personal Data Breach” means:
1 - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2 - any non-conformance with the security standards set out in https://www.firefishsoftware.com/trust.aspx
“Working Day” means any day other than Saturday, Sunday or a public holiday in the UK.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
"Processing" shall mean any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Sub-contract" and "Sub-contracting" shall mean the process by which either party arranges for a third party to carry out its obligations under this Agreement and "Sub Contractor" shall mean the party to whom the obligations are subcontracted;
“Sub-Processor” means a Processor engaged by the Supplier to carry out specific Processing activities on behalf of the Company.
“Third Party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
"Technical and Organisational Security Measures" shall mean all reasonable measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed, and against all other unlawful forms of Processing.
2.1 The Parties hereby acknowledge and agree that the following is an accurate description of the Processing of data to be carried out by the Parties:-
Subject matter and duration of Processing - The Processor will process Personal Data on behalf of the Controller in the course of providing the Services to the Controller and for as long as the Controller is using the Services provided by the Processor.
Nature and purpose of Processing - The Processor will process Personal Data to provide hosted recruitment services (Software as a Service) to the Controller.
Types of Personal Data to be processed - Name, address, email address, telephone number, occupation, employer, remuneration, employment history, CVs, job seeking activity, marketing subscriptions, work preferences, professional certifications and ID documentation.
Categories of Data Subject to whom Personal Data relates - Candidates and prospective candidates of the Controller.
3.1 The Processor shall comply with the security, confidentiality and other obligations imposed on it under this Agreement and ensure compliance with Data Protection Law and, in particular, process all Personal Data on behalf of the Controller only for the purposes of performing its obligations under this Agreement and in accordance with the written instructions given by the Controller from time to time, and shall not modify or amend Personal Data unless specifically authorised in writing by the Controller.
4.1 The Processor shall ensure that any system on which the Processor or any Approved Sub-contractor holds Personal Data, including backup data, is secure and ensures complete data integrity in accordance with the data security requirements and with good industry practice.
The Processor shall, as a minimum requirement, give due consideration to the types of security measures listed below;
Further information can be seen in our Data Security Policy.
5.1 The Processor shall maintain the Personal Data processed by the Processor on behalf of the Controller in confidence. In particular, the Processor shall, save with the prior written consent of the Controller, not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party.
5.2 The Processor shall not make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller.
5.3 Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed on it by a regulator or court. The parties shall, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of Personal Data.
8.1 This Agreement shall continue in full force and effect for so long as the Processor is Processing Personal Data on behalf of the Controller under the Terms of Services.
8.2 This Agreement shall terminate automatically on termination of provision of services by the Processor to the Controller.
8.3 On cancellation of this Agreement, the Processor shall promptly (and in any event within 5 working days of termination) cease Processing the Personal Data (whether provided by the Controller or which are derived from Personal Data provided by the Controller) and permanently and securely destroy the Personal Data so that it is no longer retrievable. The Processor shall provide such information as is necessary to enable the Controller to satisfy itself of the Processor’s compliance with this clause.
Firefish Software Ltd has an established process for reporting breaches of information security to regulatory bodies, the Data Controller and/or to customers affected by the breach.
9.1 Investigation & Communication - Immediately on identification of a breach, the issue is flagged to the Director of Customer and internal Data Protection Officer. The breach is investigated with urgent priority to establish what the issue is and who is affected. If immediate action is possible – for example, a password change – this will be done straight away.
The relevant Customer Team representative will be advised of the issue, what is being done, and time frames around this as soon as we become aware. They will then contact the affected client/s within 24 hours to provide as much information as is possible around the data security breach. Where feasible, this information will be provided on a telephone call involving the Customer Team representative, DPO, and the affected client/s. This telephone call will be followed up with an email confirming the information that has been provided.
If it is not feasible to convey the information in a time-sensitive manner (e.g. due to the number of clients affected or availability of client contact), full information relating to the details of the breach, what is being done to resolve the issue and timeframes around this will be provided by email to the client system Superusers.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will provide details of those individuals potentially affected and the risk, so that the client can inform them of the details of the breach.
In cases where a breach affects all Firefish client sites, an announcement and relevant updates will be available on our Announcements page.
If data has been lost, we can restore a backup of the database and files directly from our internal backups and aim to do so within a 2-hour period of notification of the event occurring.
The most recent Database Backup will be restored from internal backups to return the data to its state prior to the fault occurring (up to 30 minutes’ data loss) and any missing files will be restored from the secondary file backups (up to 7 days’ data loss).
9.2 Notification - Where a data security breach occurs and is likely to result in a risk to people’s rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 3 days of becoming aware of the essential facts of the breach. The information we provide to the ICO will include a description of the nature of the personal data breach including, where possible:
• the categories and approximate number of individuals concerned
• the categories and approximate number of personal data records concerned
• the name and contact details of our data protection officer or other contact point where more information can be obtained
• a description of the likely consequences of the personal data breach
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Whether a data security breach is reported to the ICO or not, it will be recorded internally. We will document the facts relating to the breach, its effects and the remedial action taken.
The outcome of the investigation will be reviewed at management level, and corrective steps implemented, where appropriate, to ensure as much as is possible that a recurrence is prevented.
Contact - Our data protection lead may be contacted in relation to any queries or concerns you have regarding your Personal Data or if you wish to exercise any of your rights. Please contact Richard Mullan at firstname.lastname@example.org or by calling 0141 648 8520.